1 Who we are
TraCarta is a specialist travel-tax firm based in India. We help corporate clients recover GST input tax credit on travel spend, defend their positions during tax scrutiny, and operate ongoing tax practice. We do this through a combination of our partners' tax expertise and an internal engine we call TravelSuite, which captures invoices, reconciles claims, and posts cleared credits into client ERPs.
The legal entity responsible for this policy is TraCarta India Private Limited, registered in India with corporate identity number U63090HR2013PTC051042, with its registered office at 12th Floor, The Executive Centre, Two Horizon, Golf Course Road, Gurugram, Haryana.
Under the DPDP Act, we act as a Data Fiduciary in respect of the personal data we handle. Where we process personal data on behalf of a corporate client (for example, traveller PNRs that pass through their bookings), we may also act as a Data Processor for that client; in those cases the client is the primary Data Fiduciary and the terms of our engagement contract govern the relationship.
2 Scope of this policy
This policy applies to personal data that we collect and process:
- Through our website at tracarta.com and any related subdomains;
- During our engagements with corporate clients, including data passed to us by clients or fetched on their behalf from third-party systems such as the GST e-invoice portal, airline booking systems, or travel management companies;
- From individuals who contact us directly (job applicants, prospective clients, individuals exercising data rights);
- From publicly available sources where lawful (for example, GSTIN registration records on the GST portal).
It does not apply to data we receive that has been fully anonymised, nor to data held by our clients in their own systems. For specifics about how we handle personal data inside our engagements, see also our PII Policy.
If you are a traveller whose booking PNR ended up in our system because your employer is our client, this policy and the PII Policy together explain what we do with your information. You are not our direct customer (your employer is), but you still have rights under Indian law that we honour.
3 Definitions
The following terms have the meanings set out below:
- Personal data: Any data about an individual who is identifiable by or in relation to such data. Includes name, contact details, GSTIN, PNR, employment identifiers, and similar.
- Data Principal: The individual to whom the personal data relates, as defined in the DPDP Act.
- Data Fiduciary: The entity that determines the purpose and means of processing personal data, as defined in the DPDP Act. In most cases, this is us.
- Data Processor: An entity processing personal data on behalf of a Data Fiduciary. Where we process data on behalf of a corporate client, we are the Data Processor and the client is the Data Fiduciary.
- Engagement: A contracted tax services arrangement between us and a corporate client.
- TravelSuite: The internal engine we operate to deliver tax engagements. It is not a product the client licenses; it is the firm's working environment.
4 Personal data we collect
4.1 From website visitors
When you visit our website, we receive limited technical data such as your IP address, browser type, the pages you view, and approximate location derived from your IP. We also use cookies; see our Cookie Policy for details.
If you submit a form (for example, to request a diagnostic or contact us), we receive the contact information you provide: typically name, email address, phone number, company name, and any free-text message.
4.2 From corporate clients and their systems
During an engagement, we receive or fetch the following categories of personal data, depending on the scope:
- Traveller identifiers: PNRs, passenger names, employee IDs on bookings, travel dates and routes;
- Employee-to-entity mappings: which person belongs to which legal entity and cost centre within the client's group;
- Approver records: the names and designations of individuals who approved bookings, expenses, or tax positions;
- Expense data: expense submissions associated with travel, including amounts, dates, and approval state;
- GSTIN and entity master data: the client's registered entities, GSTINs, and corresponding state and address information.
We do not knowingly collect government-issued identifier numbers (such as Aadhaar, PAN of individuals, or passport numbers) unless they appear in source documents we are required to process, for example, where a tax invoice itself includes such a number. In those cases the number is held only as part of the source document and is not extracted into a structured record.
4.3 From the GST network
For hotel ITC recovery under the e-invoice mandate, we retrieve e-invoices directly from the GST e-invoice portal using the client's GSTIN credentials. These invoices may contain personal data about the traveller (such as the name on the booking). We treat this data as we treat all other engagement personal data.
4.4 From job applicants
If you apply for a role, we collect the data you submit: name, contact information, work history, qualifications, and any supporting documents. We may also receive data about you from professional networks where you have made your profile public.
5 How we use personal data
We use personal data only for the purposes for which it was collected, including:
- To deliver the engagement. Reconciling travel invoices, identifying recoverable ITC, preparing claim packages, posting cleared credits into the client's ERP, defending positions during tax scrutiny.
- To operate our website. Responding to enquiries, scheduling diagnostics, sending requested communications.
- To meet legal and regulatory obligations. Including responses to lawful demands from tax authorities or other competent bodies.
- To improve our practice. Internal analysis of engagement patterns to inform the firm's methodology, never in a way that re-identifies any data principal, and never to inform another client's engagement directly (see Section 7).
We do not sell personal data. We do not use personal data for advertising. We do not enrich profiles from third-party data brokers. We do not use personal data from one client's engagement to inform another client's engagement directly; cross-client learning stays at the methodological level, not the data level.
6 Lawful basis
Under the DPDP Act, we process personal data on one of two lawful bases:
6.1 Consent
For website forms, recruitment, and direct communications with individuals, we rely on the data principal's consent. This is given at the point of submission and may be withdrawn at any time by writing to our Data Protection Officer (see Section 14).
6.2 Legitimate uses
For data we receive in the course of a client engagement, we rely on the "certain legitimate uses" basis under Section 7 of the DPDP Act: specifically, the performance of a contract entered into with the data principal's employer, and compliance with applicable tax law. We process such data only for the purposes set out in the engagement contract.
Where required by Indian law, we maintain records of our lawful basis for each category of processing.
7 Sharing and disclosure
We share personal data only with the parties below, and only for the purposes stated:
- The corporate client whose engagement the data relates to, for the deliverables of the engagement (reconciliation reports, posted journal entries, supporting invoice bundles, audit-defence packages).
- The GST network and tax authorities, for filings, claims, and responses to scrutiny notices, as required under tax law.
- The firm's auditors and professional advisors, subject to confidentiality obligations.
- Cloud and IT service providers, including our hosting provider (Microsoft 365 (OneDrive), with data resident in India), under data processing agreements that limit them to processing on our instructions only.
- Competent authorities, where required by a lawful order or in accordance with Indian law.
We do not share personal data between client engagements. Each client's data is logically isolated within TravelSuite with separate encryption keys. See our Security page for the architecture, and the PII Policy for the operational specifics.
8 Retention
We retain personal data for as long as the engagement is active, and for a defined period afterwards:
- Engagement data: for the duration of the engagement plus five years thereafter, to support audit defence and statutory record-keeping under tax law.
- Website enquiry data: for 24 months from the last contact, after which it is deleted or de-identified.
- Recruitment data: for 12 months from the conclusion of the recruitment process, unless the candidate consents to longer retention for future opportunities.
- Statutory records: for as long as applicable Indian law requires.
At the end of the retention period, personal data is securely deleted or fully anonymised so that it can no longer be associated with any data principal.
9 Security
We hold personal data inside an architecture designed for tax-audit defensibility. Specifically:
- All data is encrypted at rest using AES-256, with separate encryption keys per client;
- Data in transit is encrypted using TLS 1.3, with mutual authentication on partner APIs;
- Access is role-based and enforced at the data layer, not at the application layer alone;
- The event log of all data access and processing actions is append-only; events cannot be modified after they are written;
- All data is held in India, in Microsoft 365 (OneDrive) infrastructure. There are no cross-border data transfers in the data path.
The firm does not pursue SOC 2 or ISO 27001 certifications. Our security posture and the documentation that backs it are available to a client's security team during the diagnostic. See our Security page for the full position.
In the event of a personal data breach, we will notify the Data Protection Board of India and affected data principals in accordance with the DPDP Act. We maintain an incident response runbook that defines the firm's escalation, containment, notification, and remediation procedures.
10 Your rights
Under the DPDP Act, you have the following rights in respect of your personal data:
- The right to a summary of the personal data we hold about you and the processing activities we have undertaken;
- The right to correction, completion, updating, or erasure of your personal data;
- The right to nominate another person to exercise your rights on your behalf, in the event of your death or incapacity;
- The right to grievance redressal through the firm in the first instance, and through the Data Protection Board of India if unresolved.
To exercise any of these rights, write to our Data Protection Officer at the contact below. We will respond within the statutory window, typically 30 days.
Where your data is held on behalf of a corporate client (for example, your employer), we will route your request to that client where appropriate, and confirm to you the action taken.
11 Children's data
We do not knowingly collect personal data of individuals below the age of 18. Our services are not directed at children. If we become aware that we have collected personal data of a child, we will delete it without undue delay.
12 Cross-border transfers
We do not transfer personal data outside India for the purposes of our engagements. All processing happens in India. If this position ever changes (for example, in response to a specific client requirement), we will only transfer data to jurisdictions notified as permitted under the DPDP Act, with the data principal's consent where required.
13 Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of the document, and where the change is material we will notify affected data principals directly. Continued use of the website or continuation of an engagement after the effective date of an update constitutes acceptance of the updated policy.
14 Contact
For any question, request, or grievance relating to this policy or your personal data, please contact our Data Protection Officer:
If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India in accordance with the DPDP Act, 2023.